[vncterm.git] / tigerpatches / trust-manager.patch


 Unfortunately the java certificate store does not correctly access 
 the browser certificate store (firefox, chrome). We also tunnel VNC
 traffic from other cluster nodes.

 So we implement our own trust manager, and allow to pass the server 
 certificate (or CA who signed the server certificate) as applet 
 parameter "PVECert" (newline encoded as '|').

Index: new/java/src/com/tigervnc/vncviewer/X509Tunnel.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java	2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/X509Tunnel.java	2013-04-20 15:28:55.000000000 +0200
@@ -26,13 +26,23 @@
 import javax.net.ssl.*;
 import java.security.*;
 import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.io.*;
 
 public class X509Tunnel extends TLSTunnelBase
 {
 
-  public X509Tunnel (Socket sock_)
+  Certificate pvecert;
+
+  public X509Tunnel (Socket sock_, String certstr) throws CertificateException
   {
     super (sock_);
+
+    if (certstr != null) {
+      CertificateFactory cf = CertificateFactory.getInstance("X.509");
+      pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
+    }
   }
 
   protected void setParam (SSLSocket sock)
@@ -52,9 +62,51 @@
   protected void initContext (SSLContext sc) throws java.security.
     GeneralSecurityException
   {
-    TrustManager[] myTM = new TrustManager[]
-    {
-    new MyX509TrustManager ()};
+    TrustManager[] myTM;
+
+    if (pvecert != null) {
+      myTM = new TrustManager[] {
+	new X509TrustManager() {
+	  public java.security.cert.X509Certificate[]
+	  getAcceptedIssuers() {
+	    return null;
+	  }
+	  public void checkClientTrusted(
+	    java.security.cert.X509Certificate[] certs,
+	    String authType) throws CertificateException {
+	    throw new CertificateException("no clients");
+	  }
+	  public void checkServerTrusted(
+	    java.security.cert.X509Certificate[] certs,
+	    String authType) throws CertificateException {
+
+	    if (certs == null || certs.length < 1) {
+	      throw new CertificateException("no certs");
+	    }
+	    if (certs == null || certs.length > 1) {
+	      throw new CertificateException("cert path too long");
+	    }
+	    PublicKey cakey = pvecert.getPublicKey();
+
+	    boolean ca_match;
+	    try {
+	      certs[0].verify(cakey);
+	      ca_match = true;
+	    } catch (Exception e) {
+	      ca_match = false;
+	    }
+
+	    if (!ca_match && !pvecert.equals(certs[0])) {
+	      throw new CertificateException("certificate does not match");
+	    }
+	  }
+	}
+      };
+    } else {
+      myTM = new TrustManager[] {
+	new MyX509TrustManager ()
+      };
+    }
     sc.init (null, myTM, null);
   }
 
@@ -100,4 +152,5 @@
       return tm.getAcceptedIssuers ();
     }
   }
+
 }
Index: new/java/src/com/tigervnc/vncviewer/RfbProto.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/RfbProto.java	2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/RfbProto.java	2013-04-20 15:28:55.000000000 +0200
@@ -411,7 +411,8 @@
     }
 
     void authenticateX509() throws Exception {
-	X509Tunnel tunnel = new X509Tunnel(sock);
+
+      X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
 	tunnel.setup (this);
     }
 
Index: new/java/src/com/tigervnc/vncviewer/VncViewer.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/VncViewer.java	2013-04-20 15:28:42.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/VncViewer.java	2013-04-20 15:29:55.000000000 +0200
@@ -91,6 +91,8 @@
   int debugStatsExcludeUpdates;
   int debugStatsMeasureUpdates;
 
+  String PVECert;
+
   // Reference to this applet for inter-applet communication.
   public static java.applet.Applet refApplet;
 
@@ -263,7 +265,7 @@
 	fatalError(e.toString(), e);
       }
     }
-    
+
   }
 
   //
@@ -299,7 +301,7 @@
   // If the rfbThread is being stopped, ignore any exceptions,
   // otherwise rethrow the exception so it can be handled.
   //
- 
+
   void processNormalProtocol() throws Exception {
     try {
       vc.processNormalProtocol();
@@ -842,6 +844,11 @@
 
     // SocketFactory.
     socketFactory = readParameter("SocketFactory", false);
+
+    String tmpcert = readParameter("PVECert", false);
+    if (tmpcert != null) {
+      PVECert = tmpcert.replace('|', '\n');
+    }
   }
 
   //
@@ -991,7 +998,7 @@
   }
 
   synchronized public void fatalError(String str, Exception e) {
- 
+
     if (rfb != null && rfb.closed()) {
       // Not necessary to show error message if the error was caused
       // by I/O problems after the rfb.close() method call.
@@ -1084,11 +1091,11 @@
   public void enableInput(boolean enable) {
     vc.enableInput(enable);
   }
-  
+
   //
   // Resize framebuffer if autoScale is enabled.
   //
-  
+
   public void componentResized(ComponentEvent e) {
     if (e.getComponent() == vncFrame) {
       if (options.autoScale) {
@@ -1100,11 +1107,11 @@
       }
     }
   }
-  
+
   //
   // Ignore component events we're not interested in.
   //
-  
+
   public void componentShown(ComponentEvent e) { }
   public void componentMoved(ComponentEvent e) { }
   public void componentHidden(ComponentEvent e) { }
Commit	Line	Data
e6d0212c DM	1
	2	Unfortunately the java certificate store does not correctly access
	3	the browser certificate store (firefox, chrome). We also tunnel VNC
	4	traffic from other cluster nodes.
	5
	6	So we implement our own trust manager, and allow to pass the server
	7	certificate (or CA who signed the server certificate) as applet
	8	parameter "PVECert" (newline encoded as '\|').
	9
	10	Index: new/java/src/com/tigervnc/vncviewer/X509Tunnel.java
	11	===================================================================
6b53b0de DM	12	--- new.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-04-20 15:24:59.000000000 +0200
6b53b0de DM	13	+++ new/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-04-20 15:28:55.000000000 +0200
e6d0212c DM	14	@@ -26,13 +26,23 @@
	15	import javax.net.ssl.*;
	16	import java.security.*;
	17	import java.security.cert.*;
	18	+import java.security.cert.Certificate;
	19	+import java.security.cert.CertificateFactory;
	20	+import java.io.*;
	21
	22	public class X509Tunnel extends TLSTunnelBase
	23	{
	24
	25	- public X509Tunnel (Socket sock_)
	26	+ Certificate pvecert;
	27	+
	28	+ public X509Tunnel (Socket sock_, String certstr) throws CertificateException
	29	{
	30	super (sock_);
	31	+
	32	+ if (certstr != null) {
	33	+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
	34	+ pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
	35	+ }
	36	}
	37
	38	protected void setParam (SSLSocket sock)
	39	@@ -52,9 +62,51 @@
	40	protected void initContext (SSLContext sc) throws java.security.
	41	GeneralSecurityException
	42	{
	43	- TrustManager[] myTM = new TrustManager[]
	44	- {
	45	- new MyX509TrustManager ()};
	46	+ TrustManager[] myTM;
	47	+
	48	+ if (pvecert != null) {
	49	+ myTM = new TrustManager[] {
	50	+ new X509TrustManager() {
	51	+ public java.security.cert.X509Certificate[]
	52	+ getAcceptedIssuers() {
	53	+ return null;
	54	+ }
	55	+ public void checkClientTrusted(
	56	+ java.security.cert.X509Certificate[] certs,
	57	+ String authType) throws CertificateException {
	58	+ throw new CertificateException("no clients");
	59	+ }
	60	+ public void checkServerTrusted(
	61	+ java.security.cert.X509Certificate[] certs,
	62	+ String authType) throws CertificateException {
	63	+
	64	+ if (certs == null \|\| certs.length < 1) {
	65	+ throw new CertificateException("no certs");
	66	+ }
	67	+ if (certs == null \|\| certs.length > 1) {
	68	+ throw new CertificateException("cert path too long");
	69	+ }
	70	+ PublicKey cakey = pvecert.getPublicKey();
	71	+
	72	+ boolean ca_match;
	73	+ try {
	74	+ certs[0].verify(cakey);
	75	+ ca_match = true;
	76	+ } catch (Exception e) {
	77	+ ca_match = false;
78	+ }
79	+
80	+ if (!ca_match && !pvecert.equals(certs[0])) {
81	+ throw new CertificateException("certificate does not match");
82	+ }
83	+ }
84	+ }
85	+ };
86	+ } else {
87	+ myTM = new TrustManager[] {
88	+ new MyX509TrustManager ()
89	+ };
90	+ }
91	sc.init (null, myTM, null);
92	}
93
94	@@ -100,4 +152,5 @@
95	return tm.getAcceptedIssuers ();
96	}
97	}
98	+
99	}
100	Index: new/java/src/com/tigervnc/vncviewer/RfbProto.java
101	===================================================================
6b53b0de DM	102	--- new.orig/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-04-20 15:24:59.000000000 +0200
6b53b0de DM	103	+++ new/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-04-20 15:28:55.000000000 +0200
e6d0212c DM	104	@@ -411,7 +411,8 @@
	105	}
	106
	107	void authenticateX509() throws Exception {
	108	- X509Tunnel tunnel = new X509Tunnel(sock);
	109	+
	110	+ X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
	111	tunnel.setup (this);
	112	}
	113
	114	Index: new/java/src/com/tigervnc/vncviewer/VncViewer.java
	115	===================================================================
6b53b0de DM	116	--- new.orig/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-04-20 15:28:42.000000000 +0200
	117	+++ new/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-04-20 15:29:55.000000000 +0200
	118	@@ -91,6 +91,8 @@
e6d0212c DM	119	int debugStatsExcludeUpdates;
	120	int debugStatsMeasureUpdates;
	121
	122	+ String PVECert;
	123	+
6b53b0de DM	124	// Reference to this applet for inter-applet communication.
6b53b0de DM	125	public static java.applet.Applet refApplet;
e6d0212c	126
6b53b0de	127	@@ -263,7 +265,7 @@
e6d0212c DM	128	fatalError(e.toString(), e);
	129	}
	130	}
	131	-
	132	+
	133	}
	134
	135	//
6b53b0de	136	@@ -299,7 +301,7 @@
e6d0212c DM	137	// If the rfbThread is being stopped, ignore any exceptions,
	138	// otherwise rethrow the exception so it can be handled.
	139	//
	140	-
	141	+
	142	void processNormalProtocol() throws Exception {
	143	try {
	144	vc.processNormalProtocol();
6b53b0de	145	@@ -842,6 +844,11 @@
e6d0212c DM	146
	147	// SocketFactory.
	148	socketFactory = readParameter("SocketFactory", false);
	149	+
	150	+ String tmpcert = readParameter("PVECert", false);
	151	+ if (tmpcert != null) {
	152	+ PVECert = tmpcert.replace('\|', '\n');
	153	+ }
	154	}
	155
	156	//
6b53b0de	157	@@ -991,7 +998,7 @@
e6d0212c DM	158	}
	159
	160	synchronized public void fatalError(String str, Exception e) {
	161	-
	162	+
	163	if (rfb != null && rfb.closed()) {
	164	// Not necessary to show error message if the error was caused
	165	// by I/O problems after the rfb.close() method call.
6b53b0de	166	@@ -1084,11 +1091,11 @@
e6d0212c DM	167	public void enableInput(boolean enable) {
	168	vc.enableInput(enable);
	169	}
	170	-
	171	+
	172	//
	173	// Resize framebuffer if autoScale is enabled.
	174	//
	175	-
	176	+
	177	public void componentResized(ComponentEvent e) {
	178	if (e.getComponent() == vncFrame) {
	179	if (options.autoScale) {
6b53b0de	180	@@ -1100,11 +1107,11 @@
e6d0212c DM	181	}
	182	}
	183	}
	184	-
	185	+
	186	//
	187	// Ignore component events we're not interested in.
	188	//
	189	-
	190	+
	191	public void componentShown(ComponentEvent e) { }
	192	public void componentMoved(ComponentEvent e) { }
	193	public void componentHidden(ComponentEvent e) { }